KRACKdown: dealing with the attack on Wi-Fi

On 16 October it was discovered by researchers that there are several major security vulnerabilities in Wi-Fi networks protected by Wi-Fi Protected Access 2, or “WPA2”, the industry-standard Wi-Fi encryption. Hackers have been, and continue to be, able to exploit and steal sensitive information being shared over such networks.  Such attacks, known as Key Reinstallation Attacks, or “KRACKs”, leave anyone using a Wi-Fi network using WPA2 vulnerable to data monitoring, modification and theft. 

The key things you should know about the significance of the threat:

• A “KRACK” can occur when a user connects to a Wi-Fi network. This is not limited to the first time a user connects to (or “shakes hands with”) the Wi-Fi hotspot using a secure password. Over the course of a browsing period, a user drops in and out of Wi-Fi connection without realising it and each time the user re-connects it “shakes hands” with the Wi-Fi network again.
• There are serious threats of malware. Beyond the risk of data monitoring, modification and theft, hackers are also able to inject malware, including ransomware, onto a user’s device. This is particularly serious as such malware may only deploy once the device is connected to a corporate network (including through a network cable) at which point the hacker may be able to deploy a cyber-attack.
• “Internet of Things” devices are most vulnerable. While many operating system providers are now issuing updates to their systems (which you should install as soon as they are made available), updates to Internet of Things devices are likely to come much slower. However, the data being shared by digital cameras and smart TVs, and such like, is likely to be of less interest to hackers.
• Evidence suggests there is no quick fix. It has transpired that Wi-Fi providers have known about the risks of KRACKs for as long as 3 months and have not fixed the vulnerabilities, suggesting there are no quick wins.

Though, there are some limitations:

• A hacker must be in close proximity to a particular Wi-Fi network make a “KRACK”.  A hacker must be as close as approximately 30 feet to a device or Wi-Fi access point. This is an important limitation, but does not materially limit the scope of the threat of targeted attacks given the millions of Wi-Fi connections.
• Secure connections may not be compromised. Britain’s National Cyber Security Centre said in a statement that the weaknesses would not compromise connections to secure websites, such as banking services or online shopping. Other encrypted connections, such as virtual private networks, or “VPNs”, may also not be compromised.
• The vulnerabilities have not yet been exploited. The researchers who discovered the weakness in WPA2 were able to demonstrate a KRACK but no one has been reported to have been directly compromised.

Key legal questions for businesses:

• Do I have to act now? Does not acting lead to non-compliance with IT and data security laws? There is a general obligation for companies to take a risk-based approach to ensuring cyber security. For companies that are deemed to be vital for the economy and society (for example, companies in the EU or US in the energy, digital, financial market, healthcare, transport or water infrastructures), there is a specific obligation for IT security measures to be appropriate and proportionate and to have regard to the state of the art. Therefore, all companies should ensure that known vulnerabilities, such as to KRACKs, are remedied (or “patched”) as soon as possible. Non-compliance may lead to fines and/or liabilities depending on the national regime your company is subject to. Specifically:
  • the US FTC, amongst other authorities, is monitoring how certain sectors are ensuring their security patch practice; and
  • if you are processing personal data of EU citizens, the General Data Protection Regulation (the “GDPR”), effective from May 2018, introduces certain IT security obligations you should also check (such as carrying out a data protection impact assessment and introducing privacy by design). A data breach that is based on non-compliance with these IT security requirements may lead to massive fines.  Penalties for non-compliance with the GDPR are up to US$23 million (€20m) or 4% of worldwide annual turnover, whichever is greater.
• Do I have notification obligations? Companies that qualify as critical infrastructures in the EU, for example, are in general required to report – “without undue delay” –  any cyber incidents that have a significant impact on the continuity of their services. Similarly, the GDPR requires companies to notify breaches relating to personal data to the affected individuals. Therefore, as far as the KRACK vulnerability has not yet been exploited by hackers impeding on your company's services, there is no immediate notification action to take. 
• Do I have to actively investigate any data breaches? An obligation to investigate whether data breaches have already happened due to the KRACK is difficult to determine in general. As soon as you are aware of a data breach, obligations to notify authorities and subjects of the data within a short period may be triggered (see, for example, the new guidance on this topic from the European Data Protection Authorities on the upcoming GDPR).  Clearly, your IT and data security governance should be structured in a way to ensure your company's stakeholders are made aware of any data breach in due course. 
• Cyber Insurance: In any case, you should be vigilant to patch the KRACK vulnerability in your company's system as soon as the security patches are made available (if they do not update automatically). As the KRACK vulnerability is now publicly known, not patching may affect your company's cyber insurance – for example, certain policies may become void for not keeping the IT security measures up to date.